Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/10/2024, 09:52

General

  • Target

    179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe

  • Size

    338KB

  • MD5

    179a81e1174983c3e0daa57cb85d745d

  • SHA1

    656b2b7cb178f2cef1ada8dc2197587e680740af

  • SHA256

    332c59bfef437e08870e955030bfbbd2e56b3ccf257b87f38c3318f39860de58

  • SHA512

    2f0ec1974759cbc3294691d45e50fd66854b6199f35e64743eaad60540cf03f26c001fd229c05b1ecc0300744e76aeeb7967e391dd0b6ecf50984ea788846a59

  • SSDEEP

    6144:X44EAEGxYSNuwZN+P0GUcjfmlqLErpeKmDXmBSs0AKUEURq7X13SvPHg:X42pYSJ+Pq8+lh/mDXy0AKUHEz1Cvvg

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\restore_files_gmnoc.txt

Ransom Note
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) What does this mean ? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. How did this happen ? Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. All your files were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://kwe2342fsd.rt546sdf234re.com/78ACCECC2F2698A 2. http://awoeinf832as.wo49i277rnw.com/78ACCECC2F2698A 3. https://wls3uapur3zjm5gm.onion.to/78ACCECC2F2698A If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: wls3uapur3zjm5gm.onion/78ACCECC2F2698A 4. Follow the instructions on the site. 
IMPORTANT INFORMATION: Your personal pages: http://kwe2342fsd.rt546sdf234re.com/78ACCECC2F2698A http://awoeinf832as.wo49i277rnw.com/78ACCECC2F2698A https://wls3uapur3zjm5gm.onion.to/78ACCECC2F2698A Your personal page (using TOR): wls3uapur3zjm5gm.onion/78ACCECC2F2698A Your personal identification number (if you open the site (or TOR 's) directly): 78ACCECC2F2698A
URLs

http://kwe2342fsd.rt546sdf234re.com/78ACCECC2F2698A

http://awoeinf832as.wo49i277rnw.com/78ACCECC2F2698A

https://wls3uapur3zjm5gm.onion.to/78ACCECC2F2698A

http://wls3uapur3zjm5gm.onion/78ACCECC2F2698A

Extracted

Path

C:\Program Files\7-Zip\Lang\restore_files_gmnoc.html

Ransom Note
<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; } .ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center> <div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"> <b><font class="ttl">What happened <!------sfg2gdfstw5ey3345 --> to your files?</b></font><br> <font style="font-size:13px;">All of your files were<!------sfg2gdfstw5ey3345 --> protected by a strong<!------sfg2gdfstw5ey3345 --> encryption with<!------sfg2gdfstw5ey3345 --> RSA-2048 <br> More information about the <!------sfg2gdfstw5ey3345 -->encryption RSA-2048 can be<!------sfg2gdfstw5ey3345 --> found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font> <br><b><font class="ttl">What <!------sfg2gdfstw5ey3345 --> does this mean?</b></font><br><font style="font-size:13px;"> This<!------sfg2gdfstw5ey3345 --> means that the <!------sfg2gdfstw5ey3345 --> structure and data within your files have been irrevocably <!------sfg2gdfstw5ey3345 -->changed, you will not be able to work<br> with them, read<!------sfg2gdfstw5ey3345 --> them or see them, it is the same thing <!------sfg2gdfstw5ey3345 -->as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. 
<br>All your <!------sdkfg3265436456hdfskjghfdg --> files were encrypted with the public key, <!------sdkfghd456334565436fskjghfdg --> which has been <!------sdkfghd45363456fskjghfdg --> transferred to <!------sdkfghdfskjghfdg -->your computer via <!------sdkfghd4356345643564356fskjghfdg -->the Internet.<br> <!------sdkfghd34563456fskjghfdg --> Decrypting of <!------sdkf45363456ghdfskjghfdg -->YOUR FILES is <!------sdkfghdfs4563456kjghfdg -->only possible <!------sdkfgh45364356dfskjghfdg -->with the help of the <!------sdkfghd4563456fskjghfdg -->private key and <!------sdkfghd43563456fskjghfdg -->decrypt program, <!------sdkfghdf43564356tyretyskjghfdg -->which is on our <!------sdkfgh34565346dfskjghfdg -->SECRET SERVER!!!. </font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.</font><br><br> <!------23452345dgtwertwre --><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr> <!------sadfs32452345gfdsgsdfgdfsafasdfasdfsadf --><b>1.<a href="http://kwe2342fsd.rt546sdf234re.com/78ACCECC2F2698A" target="_blank">http://kwe2342fsd.rt546sdf234re.com/78ACCECC2F2698A</a></b><br> <!------ds234523452345fgwert --><b>2.<a href="http://awoeinf832as.wo49i277rnw.com/78ACCECC2F2698A" target="_blank">http://awoeinf832as.wo49i277rnw.com/78ACCECC2F2698A</a></b><br> <!------wer234524353245terwtewrt --><b>3.<a href="https://wls3uapur3zjm5gm.onion.to/78ACCECC2F2698A" target="_blank">https://wls3uapur3zjm5gm.onion.to/78ACCECC2F2698A</a></b><br> <!------sfg2gdfstw5ey3345 --></div><br><div class="tb" style="font-size:13px; 
border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installation, run the browser and wait for initialization.<br>3. Type in the address bar: <font style="font-weight:bold; color:#009977;">wls3uapur3zjm5gm.onion/78ACCECC2F2698A</font><br>4. Follow the instructions on the site.</div><br><br><b>IMPORTANT INFORMATION:</b><br><div class="tb" style="width:790px;"> Your Personal PAGES: <b><br> <a href="http://kwe2342fsd.rt546sdf234re.com/78ACCECC2F2698A" target="_blank">http://kwe2342fsd.rt546sdf234re.com/78ACCECC2F2698A</a> <br> <a href="http://awoeinf832as.wo49i277rnw.com/78ACCECC2F2698A" target="_blank">http://awoeinf832as.wo49i277rnw.com/78ACCECC2F2698A</a> <br> <a href="https://wls3uapur3zjm5gm.onion.to/78ACCECC2F2698A" target="_blank"> https://wls3uapur3zjm5gm.onion.to/78ACCECC2F2698A</a> </b> <br> Your Personal PAGE (using TOR): <font style="font-weight:bold; color:#009977;">wls3uapur3zjm5gm.onion/78ACCECC2F2698A</font><br> Your personal code (if you open the site (or TOR 's) directly): <font style="font-weight:bold; color:#770000;">78ACCECC2F2698A</font><br> </div></div></center></body></html>
URLs

https://wls3uapur3zjm5gm.onion.to/78ACCECC2F2698A

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (892) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3828
    • C:\Users\Admin\AppData\Roaming\vcwqkn.exe
      C:\Users\Admin\AppData\Roaming\vcwqkn.exe
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1064
      • C:\Windows\System32\vssadmin.exe
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        3⤵
        • Interacts with shadow copies
        PID:3584
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT
        3⤵
        • System Location Discovery: System Language Discovery
        • Opens file in notepad (likely ransom note)
        PID:2636
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RESTORE_FILES.HTML
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1228
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0b1c46f8,0x7ffc0b1c4708,0x7ffc0b1c4718
          4⤵
          PID:3936
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
          4⤵
          PID:1708
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
          4⤵
          PID:4036
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
          4⤵
          PID:2740
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
          4⤵
          PID:1076
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
          4⤵
          PID:2392
        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
          4⤵
          PID:3552
        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
          4⤵
          PID:3352
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
          4⤵
          PID:1200
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
          4⤵
          PID:2300
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
          4⤵
          PID:3376
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
          4⤵
          PID:4588
      • C:\Windows\System32\vssadmin.exe
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        3⤵
        • Interacts with shadow copies
        PID:4088
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwqkn.exe >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5016
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\179A81~1.EXE >> NUL
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2312
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2536
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:372
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2252

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\7-Zip\Lang\restore_files_gmnoc.html
    Filesize
    4KB
    MD5
    4041998a77d16cc643ef1674f66cac2e
    SHA1
    2f95ef2609c297e1e6c9fb33849a9605eb81ed7a
    SHA256
    a1cb1978742bebe88a7cc9e1aebfb54fb630daf6fa90723d7233caea85d6721b
    SHA512
    2df14aa66ca270009d7ded7085ddcecb37ac4aa39390fcaea0e2c2c7119eaf75ab6a8e3d1b56f2183c63db3e9b4ad6d432c6185741cc7b8f047c6527ba6fca24
  • C:\Program Files\7-Zip\Lang\restore_files_gmnoc.txt
    Filesize
    2KB
    MD5
    c6e20fdbbb08c3dc0dfc9c69d375a166
    SHA1
    8e1e64d05fefeb2b2936bf2abd14177635011a6a
    SHA256
    f60d89b34517db789186e9531293f75667820da2d13d7114c97adb1491569b9f
    SHA512
    681d886bfba05025e7132cbcc95f5da08c68bc4b342e829b0aace30f62d6b839c0844170b21d67240f5716ddbf07300a197edd9211ddae27fcc53e2f56fb3684
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize
    152B
    MD5
    719923124ee00fb57378e0ebcbe894f7
    SHA1
    cc356a7d27b8b27dc33f21bd4990f286ee13a9f9
    SHA256
    aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808
    SHA512
    a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize
    152B
    MD5
    d7114a6cd851f9bf56cf771c37d664a2
    SHA1
    769c5d04fd83e583f15ab1ef659de8f883ecab8a
    SHA256
    d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e
    SHA512
    33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize
    111B
    MD5
    285252a2f6327d41eab203dc2f402c67
    SHA1
    acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
    SHA256
    5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
    SHA512
    11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize
    111B
    MD5
    807419ca9a4734feaf8d8563a003b048
    SHA1
    a723c7d60a65886ffa068711f1e900ccc85922a6
    SHA256
    aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
    SHA512
    f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize
    5KB
    MD5
    829693059107f935f965ac5a633c095a
    SHA1
    566b9c9104d9569f4c9b32698d9a0b2fc4bec918
    SHA256
    8291f3bc4cf0e65d30e5cfa6ae72aa6ce1dbe096876f35d23ca3f87e2a6c3161
    SHA512
    5035ee7c57887c7b6f842a46e6e878c57a29cfb0f751189bc49ad8f5754af8a83f239e7c1902b7183c2ce597602541b3b50107c3bd582fb08a9af4a86ca156f2
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize
    6KB
    MD5
    1c7b0440625c223d8c37f16a98b7c761
    SHA1
    cf7d919f3d1b8620bd6056d094233f7fc157d300
    SHA256
    51147714a3a14bb35121bc831aacbf08ac02421e855fcdd571ccd9e7420b7f25
    SHA512
    ecc987afd80c34e15a851c9b19698eaf9eac65c417d6907367b4186a198ce77d6f5973c181bff636cc15ca35a9624daff368fddcb7bd2f86f5b108628f8d62a9
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize
    16B
    MD5
    6752a1d65b201c13b62ea44016eb221f
    SHA1
    58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    SHA256
    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    SHA512
    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize
    10KB
    MD5
    d466b245071318f6ecfe052443f0dc84
    SHA1
    3c2f9930d02c2a0356f23501affcd92e3a9ee14d
    SHA256
    3696cd88cdbd860d05380cf52663935ad01b5d394106d6f751c11fc5e8772651
    SHA512
    56f84481f2fafd0df705c0b7914432f4f7331497c2f0232ffbf8c70a6fc5decc495d5b3edfc85b8443fe7e4cbc5f9abbc0c613d1db0035136132f4126b0ac246
  • C:\Users\Admin\AppData\Roaming\vcwqkn.exe
    Filesize
    338KB
    MD5
    179a81e1174983c3e0daa57cb85d745d
    SHA1
    656b2b7cb178f2cef1ada8dc2197587e680740af
    SHA256
    332c59bfef437e08870e955030bfbbd2e56b3ccf257b87f38c3318f39860de58
    SHA512
    2f0ec1974759cbc3294691d45e50fd66854b6199f35e64743eaad60540cf03f26c001fd229c05b1ecc0300744e76aeeb7967e391dd0b6ecf50984ea788846a59
  • memory/1064-15-0x00000000006A0000-0x00000000006A4000-memory.dmp
    Filesize
    16KB
  • memory/1064-7961-0x0000000000400000-0x0000000000521000-memory.dmp
    Filesize
    1.1MB
  • memory/1064-7863-0x0000000000400000-0x0000000000521000-memory.dmp
    Filesize
    1.1MB
  • memory/1064-3090-0x0000000000400000-0x0000000000521000-memory.dmp
    Filesize
    1.1MB
  • memory/1064-18-0x0000000074CD0000-0x0000000074D09000-memory.dmp
    Filesize
    228KB
  • memory/1064-8012-0x0000000074CD0000-0x0000000074D09000-memory.dmp
    Filesize
    228KB
  • memory/1064-8011-0x0000000000400000-0x0000000000521000-memory.dmp
    Filesize
    1.1MB
  • memory/1064-7859-0x0000000000400000-0x0000000000521000-memory.dmp
    Filesize
    1.1MB
  • memory/1064-12-0x0000000000400000-0x0000000000521000-memory.dmp
    Filesize
    1.1MB
  • memory/3828-0-0x00000000006D0000-0x00000000006D3000-memory.dmp
    Filesize
    12KB
  • memory/3828-5-0x00000000006E0000-0x00000000006E4000-memory.dmp
    Filesize
    16KB
  • memory/3828-6-0x0000000074CD0000-0x0000000074D09000-memory.dmp
    Filesize
    228KB
  • memory/3828-1-0x0000000000400000-0x0000000000521000-memory.dmp
    Filesize
    1.1MB
  • memory/3828-17-0x0000000074CD0000-0x0000000074D09000-memory.dmp
    Filesize
    228KB
  • memory/3828-16-0x0000000000400000-0x0000000000521000-memory.dmp
    Filesize
    1.1MB